Fail2ban: Protecting Servers with Automated Log Monitoring

in Work, Security February 11, 2015

Reviewing Linux logfiles is the stuff of nightmares for most system administrators. I don't say this because of the volume of data to sift through; there are plenty of tools for keeping one's sanity on that front. I'm referring to the sheer number of login failures that turn up in /var/log/secure, which can drive a system administrator to madness.

Every system connected to the internet is exposed to attack. Even a system that strictly uses key-based SSH authentication on a non-standard port can still be compromised. When logfiles aren't regularly audited, the door is left wide open for attackers to gain access to the system.

Fail2ban is a tool that actively monitors logfiles and can be configured to temporarily ban IP addresses after a set number of login failures (or other potentially malicious activity) via iptables or another firewall tool. It can also be configured to generate e-mails when an IP address is banned. This isn't a complete solution to preventing unauthorized access to a protected system, but when paired with other precautions, it can be a very powerful tool.

While typically deployed to defend against brute-force attacks on SSH and FTP logins, it can be configured to protect several other services, including Apache, Courier, and MySQL.

Installation

Fail2ban isn't included in the base repositories, but it is available from EPEL (Extra Packages for Enterprise Linux).

RHEL 6 / CentOS 6

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum install fail2ban

RHEL 7 / CentOS 7

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm
# yum install fail2ban

Configuration

By default, fail2ban is disabled for all services. After completing installation, the next step will be to enable the filters for the specific services running on the server.

I prefer to keep the default configuration file intact for reference, as well as a backup in the event I inadvertently break something.

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano /etc/fail2ban/jail.local

The configuration varies from distribution to distribution, typically depending on which servers and network management tools the distribution ships. Several global settings can be found in the first several lines of the configuration file. Most importantly, the number of seconds that an offending IP address will be banned should be set. By default, this is 3600 seconds, or one hour. I typically raise this to a minimum of 7200 seconds.

bantime = 7200

Next, I'll go over distribution-specific settings for SSH servers.

RHEL 6 / CentOS 6

RHEL 6 / CentOS 6 uses iptables for network management and OpenSSH as the default SSH server. FTP-wise, ProFTPD and vsftpd are the most common options. The SSH filter can be configured under the ssh-iptables heading.

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=MyServerName, dest=myEmail@myDomain.com, sender=myServer@myDomain.com]
logpath  = /var/log/secure
maxretry = 5

The sendmail-whois line, the second part of the action (note that it must be indented so fail2ban reads it as a continuation of the action value), will generate an e-mail to the specified address with the WHOIS information for each offending IP address. This is useful for determining where the offender is located or, if there is good reason, for reporting the abuse to the owner of the IP address. Many tools and appliances also exist that can block entire countries from reaching the server or, more likely, the whole network the server is connected to.
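To make the ban mechanics concrete (the monitoring described in the introduction, the bantime setting above and the maxretry value in the ssh-iptables jail), here is an added example that replays a few constructed /var/log/secure lines through a miniature jail. It is not fail2ban's own code: the regular expression is a simplified stand-in for the real filter.d/sshd.conf pattern, the log lines and addresses are made up, and findtime (fail2ban's sliding window for counting failures, assumed here at its usual default of 600 seconds) is a parameter the post does not mention.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (documentation addresses, not real traffic).
SAMPLE_SECURE_LOG = """\
Feb 11 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Feb 11 10:00:03 host sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Feb 11 10:00:04 host sshd[2105]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Feb 11 10:00:06 host sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Feb 11 10:00:09 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 40151 ssh2
Feb 11 10:00:12 host sshd[2111]: Failed password for root from 203.0.113.5 port 40160 ssh2
Feb 11 10:00:15 host sshd[2113]: Failed password for root from 198.51.100.7 port 51002 ssh2
Feb 11 10:20:00 host sshd[2200]: Failed password for root from 198.51.100.7 port 51010 ssh2
Feb 11 10:20:30 host sshd[2202]: Failed password for root from 198.51.100.7 port 51012 ssh2
"""

# Simplified stand-in for fail2ban's sshd failregex (assumption: the real filter
# has many more alternatives; this one only matches "Failed password" lines and
# captures the syslog timestamp and the source IP).
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2015):
    """Return [(timestamp, ip)] for every line matching FAILREGEX.

    syslog timestamps carry no year, so one is supplied (the constructed
    sample is dated 2015 to match the post).
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        failures.append((ts, m.group("host")))
    return failures


def simulate_jail(log_text, maxretry=5, findtime=600, bantime=7200):
    """Replay the log through a jail and return {ip: (ban_start, ban_end)}.

    An IP is banned once it accumulates `maxretry` failures inside a sliding
    window of `findtime` seconds; the ban lasts `bantime` seconds. Failures
    logged while the IP is already banned are not counted again.
    """
    window = defaultdict(deque)  # ip -> timestamps of its recent failures
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned; the firewall is dropping its packets
        recent = window[ip]
        recent.append(ts)
        # Forget failures that have fallen out of the findtime window.
        while recent and (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            recent.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_SECURE_LOG).items():
        print(f"{ip} banned at {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Running it bans 203.0.113.5 at 10:00:12 for two hours, while 198.51.100.7 is left alone: its three failures are spread over twenty minutes, so no five (or even three) of them ever fall inside one 600-second window. Raising findtime or lowering maxretry changes that outcome, which is exactly the trade-off to keep in mind when tuning a jail so that a user who mistypes a password a couple of times is not locked out alongside a real brute-force source.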

RHEL 7 / CentOS 7

RHEL 7 / CentOS 7 made the jump to systemd, with firewalld in place of iptables. This actually simplifies the SSH configuration, with only one filter being needed.

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

Similar to RHEL 6 / CentOS 6, e-mails can be generated when an IP address is banned. Several actions have been pre-defined in the configuration file under the Actions heading. The default action only bans the offending IP address; this will need to be changed in order to receive an e-mail notification.

#
# ACTIONS
#
destemail = root@localhost
sender = root@localhost
mta = sendmail

...

action = %(action_mwl)s

action_mwl could also be replaced with action_xarf, which will generate an e-mail to the abuse contact of an IP address, as listed in the WHOIS information.
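The settings above only take effect through two mechanisms that are easy to get wrong: jail.local is read after jail.conf, so its keys override the defaults, and values such as %(sshd_log)s and %(action_mwl)s are references to other keys that fail2ban expands at load time. The following added example (my own code, not part of fail2ban) reads a constructed, trimmed-down jail.conf in the EL7 style together with a jail.local holding only the overrides, then reports the effective settings of the sshd jail. fail2ban's own parser is a ConfigParser subclass; here Python's standard configparser is used, and fail2ban's automatic %(__name__)s (the jail's name) is emulated by passing it in through vars. The action names and keys are modelled on jail.conf but shortened, so treat the exact strings as an assumption.

```python
import configparser

# Constructed excerpt modelled on an EL7 jail.conf (assumption: trimmed to the
# keys this example needs; the real file defines many more jails and actions).
JAIL_CONF = """\
[DEFAULT]
enabled = false
bantime = 3600
findtime = 600
maxretry = 5
destemail = root@localhost
sender = root@localhost
mta = sendmail
banaction = firewallcmd-ipset
sshd_log = /var/log/secure
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
action = %(action_)s

[sshd]
port = ssh
logpath = %(sshd_log)s
"""

# Constructed jail.local holding only the overrides, as the post recommends.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 7200
action = %(action_mwl)s

[sshd]
enabled = true
"""


def load_jails(conf_text, local_text=None):
    """Parse jail.conf, layer jail.local on top, and return the effective
    settings of every jail as {jail_name: {...}}.

    Keys read later win, which is how jail.local overrides jail.conf.
    %(key)s references are resolved by BasicInterpolation against the jail's
    own section first and [DEFAULT] second; %(__name__)s is supplied via vars.
    """
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    if local_text:
        cp.read_string(local_text)
    jails = {}
    for jail in cp.sections():
        name_vars = {"__name__": jail}
        jails[jail] = {
            "enabled": cp.getboolean(jail, "enabled"),
            "bantime": cp.getint(jail, "bantime"),
            "maxretry": cp.getint(jail, "maxretry"),
            "logpath": cp.get(jail, "logpath", vars=name_vars),
            # A multi-line action value (continuation lines indented) yields
            # one action per line, e.g. the ban plus the whois e-mail.
            "action": cp.get(jail, "action", vars=name_vars).splitlines(),
        }
    return jails


def enabled_jails(conf_text, local_text=None):
    """Names of the jails that would actually be started."""
    return sorted(name for name, jail in load_jails(conf_text, local_text).items()
                  if jail["enabled"])


if __name__ == "__main__":
    print("jail.conf alone :", load_jails(JAIL_CONF)["sshd"])
    print("with jail.local :", load_jails(JAIL_CONF, JAIL_LOCAL)["sshd"])
```

With jail.conf alone no jail is enabled and sshd would ban for 3600 seconds with a single firewall action; once jail.local is layered on, sshd is enabled, bantime becomes 7200, and the action expands to two entries, the firewalld ban and the sendmail whois-lines e-mail, with the jail name and the resolved log path substituted in. A quick way to check the real thing after editing is `fail2ban-client -d`, which dumps the configuration as fail2ban itself parsed it.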

Starting fail2ban

Once the configuration file has been saved, fail2ban can be started. It should also be configured to start at boot.

RHEL 6 / CentOS 6

$ service fail2ban start
$ chkconfig fail2ban on

RHEL 7 / CentOS 7

$ systemctl restart fail2ban
$ systemctl enable fail2ban

Wrapping It All Up

This only covers the very basics of getting fail2ban running on RHEL and CentOS servers. Additional configuration can be made to protect Apache and web applications, MySQL, mail servers, and more. I may cover some of these in the future, but the best resources for discovering more of fail2ban's capabilities are the wiki and community portal.